Date: Thu, 09 Oct 2014 01:09:19 +0200
From: Sven Kieske <svenkieske@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Thoughts on Shellshock and beyond

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08.10.2014 23:53, Tracy Reed wrote:
> While it is too late for our hardware etc., perhaps strong type
> systems such as found in Haskell can help here? It is known to be
> very good at avoiding undefined or unexpected runtime behavior. Too
> late also for current languages to have this bolted on, but if
> anyone wanted to write "secure" software I'd be looking at
> languages which provide some more guarantees. Too late for bash
> also, of course, which I suppose points us back at the original
> problem.

Well, for web frameworks, just take yesod (http://www.yesodweb.com/, written in Haskell) as an example. To quote their site:

"Turn runtime bugs into compile-time errors"

I still think this is the right direction; yes, it's painful. But it's a real solution to a real (huge) fraction of the problem. IMHO of course, please enlighten me with some counter arguments.

Oh, here is one from myself: vendors are not liable, not even for the most serious software bugs. So there is no incentive for them to make better software. The software industry is AFAIK the only one which is not liable if they fuck their very own products up. Do this if you're building skyscrapers, cars, medical equipment, anything, and you go to jail.

The funny part is, these businesses do rely on software today, so if there's a bug, let's say in some construction software, and no one notices, the skyscraper architect might get sued and go to jail, but not the programmer/vendor who wrote that shitty code.

Software is too important to not have any rules in place. This was okay until the 90s (maybe), but not in the 21st century.

regards
Sven

PS: fun fact, the only thing you _will_ get sued for are: software patents

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBAgAGBQJUNcQfAAoJEAq0kGAWDrqlKuQL/28ye2bJ8Ry9anTpfptPr8yL
mSHDcQHnuKFJtVkg6bJJb0SQURJNM2djUYSUZoKCvYpyssE4B+vCgHXqN3Kf0ehz
iv0Q3LPgSHAk7a+Yj+QR3uW7r+CvH7I4BI28+OYpOe5SOzSlcMG/Lulmez18mJ5K
G7iOc0EB6RTT4EUrGrpAd9cSjgBgFupkvl1bgaL0UVkPqw3qpXBaWf3LULjQ60z8
qmcW9yihMSr3rT7LCtO3RYDgzFK3GSltTMYDe1jVzlbtYl6FJNZnSzssSV6OfhFG
vqbmPxwtf3AXZrRTLMF+HXYr5YZiQa0jYo41E2h/tKBTNty7C5cw7PMmQVFPY9QR
HfNBhWNj2fz8wLSPGcnFXw9Raz6616Z5gcaZVDwrbkWe7O8AOkiunJd91FRbnK1X
V4bV/gOlfAVmOXegHdcWlUJYPNHQIHD3DU895A5OAGLuptipAvKiNagNahHonw+S
SVoJvE5nrmPCoIjo3Z0ovLieSKa0+61G9cFu955fpQ==
=/D4K
-----END PGP SIGNATURE-----
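The "turn runtime bugs into compile-time errors" idea from the thread, shown in Rust rather than Haskell so it can be compiled and tested here. This is an added example, not code from the thread, from yesod or from any project the message mentions. It assumes a hypothetical allow-list policy for a single argument: raw input is wrapped in an `Untrusted` newtype, the only way to obtain a `ShellArg` is through `validate`, and the function that builds the process arguments accepts `ShellArg` only, so passing unvalidated input is rejected by the compiler instead of failing at run time, as a Shellshock-style injection through an environment variable or CGI header would.

```rust
// Added example (not from the thread): newtypes make "unvalidated input
// reaches a command" a type error rather than a runtime bug.
use std::process::Command;

/// Raw input exactly as received (e.g. an HTTP header or environment variable).
#[derive(Debug, Clone)]
pub struct Untrusted(pub String);

/// A value that has passed `validate`. The field is private, so outside this
/// module the only way to obtain a `ShellArg` is through `validate`.
#[derive(Debug, Clone, PartialEq)]
pub struct ShellArg(String);

impl ShellArg {
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Allow-list validation (hypothetical policy): non-empty, at most 64 bytes,
/// ASCII alphanumerics plus '-', '_' and '.'. Anything else is rejected.
pub fn validate(input: &Untrusted) -> Option<ShellArg> {
    let s = &input.0;
    let ok = !s.is_empty()
        && s.len() <= 64
        && s
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.'));
    if ok {
        Some(ShellArg(s.clone()))
    } else {
        None
    }
}

/// Builds an argv for a process that is spawned directly, never via `sh -c`.
/// The parameter type is `&ShellArg`, so `build_argv(&Untrusted(..))` does
/// not compile.
pub fn build_argv(arg: &ShellArg) -> Vec<String> {
    vec![
        "printf".to_string(),
        "%s\n".to_string(),
        arg.as_str().to_string(),
    ]
}

/// Spawns the command from `build_argv` without a shell and returns stdout.
pub fn run(arg: &ShellArg) -> std::io::Result<String> {
    let argv = build_argv(arg);
    let out = Command::new(&argv[0]).args(&argv[1..]).output()?;
    Ok(String::from_utf8_lossy(&out.stdout).to_string())
}

fn main() {
    // Constructed sample inputs for the demonstration.
    let good = Untrusted("report-2014.txt".to_string());
    let bad = Untrusted("report; echo injected".to_string());
    for u in [&good, &bad].iter() {
        match validate(u) {
            Some(arg) => println!("accepted: {:?}", build_argv(&arg)),
            None => println!("rejected: {:?}", u),
        }
    }
    // This line does not compile: expected `&ShellArg`, found `&Untrusted`.
    // let _ = build_argv(&good);
}
```

The point is not the specific allow-list but where the check lives: once `ShellArg` has a private constructor, every code path that reaches `build_argv` or `run` has provably gone through `validate`, and a reviewer can confirm that by reading the types rather than tracing every call site.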